SBOMs are one of the most talked-about artefacts in the current secure development paradigm. However, because most of that attention comes from compliance requirements, the focus has been almost entirely on creating SBOMs, and at this point SBOM generation is treated as just another checkbox. Yet SBOMs are, for the first time in a long while, an attempt to solve the right problem: inventory.
While we believe that an SBOM on its own is not the final answer to supply chain security, we also strongly believe it is a solid step in the right direction. Hence we have put together this SBoM Masterclass, which focuses not just on creating SBOMs but on consuming and using them. As an inventory, an SBOM has many uses beyond the narrow scope of checking third-party libraries for known vulnerabilities. This course works through those uses and identifies the scenarios in which an SBOM is useful.
Beginner / Intermediate
Attendees need a basic understanding of the software development life cycle. We will cover SBOMs from start to finish, but awareness of general development practices and of git and GitHub usage is expected. The course assumes basic familiarity with the command line and Linux.
Our labs are cloud based, and a browser should be sufficient. However, we still suggest the following hardware specs:
Attendees will need to bring a GitHub account. A fresh GitHub organization will be created for all hands-on operations. Any other tooling required will be provided on a cloud VM for this activity.
Supply chain attacks are an ever-present threat looming over organizations. Software Bills of Materials (SBOMs) are a critical piece of the puzzle, yet the process of creating, managing, and using SBOMs remains a mystery to many. This training demystifies the subject and gives practitioners facing this challenge hands-on experience. The masterclass takes a practical, focused approach: it starts with an understanding of what SBOMs are, then works through creating, storing, and validating them. We then look at how maintaining such an inventory can help organizations prioritize their security efforts from a supply chain perspective.
Anant Shrivastava is a highly experienced information security professional with over 15 years of corporate experience. He is a frequent speaker and trainer at international conferences, and is the founder of Cyfinoid Research, a cyber security research firm. He leads open source projects such as Tamer Platform and CodeVigilant, and is actively involved in information security communities such as null, OWASP and various BSides and DEF CON groups.
Kumar Ashwin is a seasoned security professional with expertise in web, cloud, and software supply chain security. He is active in security communities like The Open Security Community and DEF CON Cloud Village, contributing through talks and by developing Capture The Flag challenges. Ashwin's experience spans offensive security to security engineering, providing unique insights at conferences like x33fcon and BSides. He plays a key role in enhancing organizational security postures. Discover more at his blog: https://krash.dev